Retail group takes a swipe at PCI, puts card companies 'on notice'
Stop forcing retailers to store payment card data, it warns card companies
October 4, 2007 12:00 PM ETComputerworld - Simmering discontent within the retail industry over the payment card industry (PCI) data security standards erupted into the open this week with the National Retail Federation (NRF) asking credit card companies to stop forcing retailers to store payment card data.
In a tersely worded letter to the PCI Security Standards Council, which oversees implementation of the standard, NRF CIO David Hogan asked credit card companies to stop making retailers "jump through hoops to create an impenetrable fortress" to protect card data. Instead, "retailers want to eliminate the incentive for hackers to break into their systems in the first place."
"With this letter, we are officially putting the credit card industry on notice," Hogan said in a statement. The NRF, a trade association whose membership includes most of the major retailers in the U.S., is the national voice for about 1.4 million U.S retail establishments.
In an interview with Computerworld this morning, Hogan said the letter was provoked by a "lot of frustration" in the industry about PCI guidelines and the deadlines associated with implementing them. If the goal of PCI is to protect credit card data, the easiest and most common sense approach is to stop requiring merchants to store the data in the first place, he said.
PCI is a data security standard mandated by Visa International Inc., MasterCard International Inc., American Express Co., Discover and the Japan Credit Bureau. It requires companies to implement a set of prescribed security controls for protecting cardholder data. Though the requirements went into affect more than two years ago, a large number of big retailers are still noncompliant because of a variety of issues that include legacy system challenges, rules interpretation issues and continuously evolving guidelines.
According to Hogan, credit card companies require retailers and others accepting payment card transactions to store certain card data sometimes for up to 18 months so that it can be retrieved in the event of chargebacks and other disputes.
But rather than have thousands of retailers store the data, credit card companies and their banks should do so, Hogan said. Retailers only need an authorization code provided at the time of a sale to validate a charge, and a receipt with truncated credit card information to handle returns and refunds. If that were done, he said, most retailers probably wouldn't store any cardholder data.
According to Hogan, under the current process, credit card companies and their banks already have the information needed for retrieval purposes and it should be their responsibility to store and protect the data. "It is a very fundamental shift. But if you think about it, it is a very common-sense approach."
National Retail Foundation
Additional Resources



Learn the important issues you must consider before starting your next mobility initiative. Get your mobility white paper from IDC now, compliments of Sybase.
White Papers & Webcasts
Share our Strength
Download Now
Lower the Cost and Complexity of a Mobile Workforce through Automation
Download This Resource Now!
Top 10 Things to Know about Data Protection
Download Now
Managing Mobility: Improve Data Security, Compliance and Manageability
Download This Resource Now!
Managing Secure File Transfer to Save Time, Money and IT Resources
Learn how companies are using innovative technology to overcome these challenges and improve user productivity by offloading e-mail attachments and replacing FTP with...
Ponemon Study: The Business Risk of a Lost Laptop
Download Now
Security Convergence Equals Network Security Cost Savings
Listen to IBM Internet Security Systems' take on network security convergence.
Airport Insecurity: The Case of Lost Laptops
Download Now
Disaster Recovery 2008: Reduced Costs and Improved Performance
How long can your Enterprise afford to be without your data? With an accelerated disaster recovery program, you never have to answer this...
